ASD Office Hardening - Macros Enabled for Trusted Publishers
This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Instruction
The tables below outline the as-built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Intune portal at the following URL:
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
Placeholders such as <ORGANISATION.GOV.AU>, <BLUEPRINT.GOV.AU> and <TENANT-NAME> should be replaced with the relevant details as required.
Basics
Item | Value |
---|---|
Name | ASD Office Hardening - Macros Enabled for Trusted Publishers |
Description | |
Platform | Windows 10 and later |
Assignments
Included groups
Item | Value |
---|---|
Groups | All devices |
Excluded groups
None
Scope tags
Item | Value |
---|---|
Scope tags | Default |
Configuration settings
Administrative Templates
Item | Value |
---|---|
Windows Components > Microsoft Management Console | |
Restrict users to the explicitly permitted list of snap-ins (User) | Enabled |
Microsoft Access 2016
Item | Value |
---|---|
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
Application Settings > Security > Trust Center | Disable all except digitally signed macros |
Block macros from running in Office files from the Internet (User) | Enabled |
Turn off trusted documents (User) | Enabled |
Turn off Trusted Documents on the network (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
Application Settings > Security > Trust Center > Trusted Locations | |
Allow Trusted Locations on the network (User) | Disabled |
Disable all trusted locations (User) | Enabled |
Microsoft Excel 2016
Item | Value |
---|---|
Excel Options > Security > Trust Center | Disable all except digitally signed macros |
Block macros from running in Office files from the Internet (User) | Enabled |
Trust access to Visual Basic Project (User) | Disabled |
Turn off trusted documents (User) | Enabled |
Turn off Trusted Documents on the network (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
Excel Options > Security > Trust Center > Trusted Locations | |
Allow Trusted Locations on the network (User) | Disabled |
Disable all trusted locations (User) | Enabled |
Scan encrypted macros in Excel Open XML workbooks (User) | Enabled Scan encrypted macros (disabled) |
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
Microsoft Office 2016
Item | Value |
---|---|
Security Settings > Trust Center | |
Allow mix of policy and user locations (User) | Disabled |
Macro Runtime Scan Scope (User) | Enabled Enable for all documents |
Disable VBA for Office applications (User) | Disabled |
Disable all Trust Bar notifications for security issues (User) | Enabled |
Automation Security (User) | Enabled |
- Set the Automation Security level (User) | Use application macro security level |
Microsoft PowerPoint 2016
Item | Value |
---|---|
PowerPoint Options > Security > Trust Center | Disable all except digitally signed macros |
Block macros from running in Office files from the Internet (User) | Enabled |
Trust access to Visual Basic Project (User) | Disabled |
Turn off trusted documents (User) | Enabled |
Turn off Trusted Documents on the network (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
PowerPoint Options > Security > Trust Center > Trusted Locations | |
Allow Trusted Locations on the network (User) | Disabled |
Disable all trusted locations (User) | Enabled |
Scan encrypted macros in PowerPoint Open XML presentations (User) | Enabled Scan encrypted macros (default) |
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
Microsoft Project 2016
Item | Value |
---|---|
Project Options > Security > Trust Center | Disable all except digitally signed macros |
Allow Trusted Locations on the network (User) | Disabled |
Disable all trusted locations (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
Microsoft Publisher 2016
Item | Value |
---|---|
Security > Trust Center | Disable all except digitally signed macros |
VBA Macro Notification Settings (User) | Enabled |
Publisher Automation Security Level (User) | Enabled By UI (prompted) |
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
Microsoft Visio 2016
Item | Value |
---|---|
Visio Options > Security > Trust Center | Disable all except digitally signed macros |
Allow Trusted Locations on the network (User) | Disabled |
Block macros from running in Office files from the Internet (User) | Enabled |
Disable all trusted locations (User) | Enabled |
Turn off trusted documents (User) | Enabled |
Turn off Trusted Documents on the network (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
Visio Options > Security > Macro Security | |
Enable Microsoft Visual Basic for Applications project creation (User) | Disabled |
Load Microsoft Visual Basic for Applications projects from text (User) | Disabled |
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
Microsoft Word 2016
Item | Value |
---|---|
Word Options > Security > Trust Center | Disable all except digitally signed macros |
Block macros from running in Office files from the Internet (User) | Enabled |
Scan encrypted macros in Word Open XML documents (User) | Enabled Scan encrypted macros (default) |
Trust access to Visual Basic Project (User) | Disabled |
Turn off trusted documents (User) | Enabled |
Turn off Trusted Documents on the network (User) | Enabled |
VBA Macro Notification Settings (User) | Enabled |
Word Options > Security > Trust Center > Trusted Locations | |
Allow Trusted Locations on the network (User) | Disabled |
Disable all trusted locations (User) | Enabled |
Disable Items in User Interface > Custom | |
Enter a command bar ID to disable (User) | 19092 |
Disable commands (User) | Enabled |
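To confirm on an enrolled device that the profile has applied, the following added example (not part of the Blueprint) compares the signed-in user's Office policy registry values with the VBA Macro Notification Settings row of every application table, the remaining Word 2016 macro rows, and the Macro Runtime Scan Scope row. Assumptions: the registry paths and value names are the standard Office 16.0 policy locations and do not appear on this page, the value 3 is taken to correspond to "Disable all except digitally signed macros", and the script is run in the user's own session because these are (User) settings.

```powershell
# Added example: audit effective per-user Office macro policy against the tables above.
# Paths and value names are the Office 16.0 policy locations (an assumption, not from this page).
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBA Macro Notification Settings for every application listed on this page.
# 3 = "Disable all except digitally signed macros".
$apps = 'Access', 'Excel', 'PowerPoint', 'MS Project', 'Publisher', 'Visio', 'Word'
$checks = @(foreach ($app in $apps) {
    [pscustomobject]@{ Key = "$app\Security"; Name = 'VBAWarnings'; Expected = 3 }
})

# Remaining Word 2016 rows and the Office 2016 runtime scan scope.
$checks += @(
    [pscustomobject]@{ Key = 'Word\Security'; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
    [pscustomobject]@{ Key = 'Word\Security'; Name = 'AccessVBOM'; Expected = 0 }
    [pscustomobject]@{ Key = 'Word\Security\Trusted Documents'; Name = 'DisableTrustedDocuments'; Expected = 1 }
    [pscustomobject]@{ Key = 'Word\Security\Trusted Documents'; Name = 'DisableNetworkTrustedDocuments'; Expected = 1 }
    [pscustomobject]@{ Key = 'Word\Security\Trusted Locations'; Name = 'AllowNetworkLocations'; Expected = 0 }
    [pscustomobject]@{ Key = 'Word\Security\Trusted Locations'; Name = 'AllLocationsDisabled'; Expected = 1 }
    # 2 = "Enable for all documents"
    [pscustomobject]@{ Key = 'Common\Security'; Name = 'MacroRuntimeScanScope'; Expected = 2 }
)

$results = foreach ($c in $checks) {
    $path = Join-Path $base $c.Key
    # A missing key or value yields $null, which never equals the expected
    # number, so an unset policy is reported as non-compliant rather than skipped.
    $actual = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Key       = $c.Key
        Name      = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

# The non-zero exit code lets a compliance script or scheduled task flag the device.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($results.Count) macro policy values differ from the baseline."
    exit 1
}
```

A value reported as `<not set>` means the policy has not reached that user hive, which is distinct from a value that is present but set to something weaker than the baseline.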
Related information
Security & Governance
- Operating System Hardening
- User Application Hardening
- Essential Eight: Restrict Microsoft Office Macros
- Essential Eight: Patch Applications
- Essential Eight: Regular Backups
- System Management
- System Monitoring
- Enterprise Mobility
- Application Control
Design
- None identified
Configuration
References
- None identified